From e10a51558ecf55a3bccba861be4acfb7188ccf78 Mon Sep 17 00:00:00 2001
From: Thales Maciel <thales@thalesmaciel.com>
Date: Thu, 29 Jan 2026 16:49:54 -0300
Subject: [PATCH] Harden kill script and DNS config

---
 README.md |  1 -
 kill.sh   | 10 ++++++++++
 run.sh    |  9 +++------
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index c19ef26..7fed2ba 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,6 @@ Minimal Firecracker launcher.
 - `--vcpu`: defaults to 2, max 16.
 - `--ram`: MiB, defaults to 1024, max 32768.
 - `--disk-size`: M/G suffixes supported; must be >= base `rootfs.ext4` size. Requires `resize2fs`.
-- `DNS_SERVERS`: optional env var for resolv.conf (default: `1.1.1.1`). Requires `debugfs`.
 
 ## SSH
 ```
diff --git a/kill.sh b/kill.sh
index 155179d..d03a30b 100755
--- a/kill.sh
+++ b/kill.sh
@@ -77,10 +77,20 @@ fi
 
 INFO_FILE="$(find_vm_info "$QUERY")"
 PID="$(get_prop "$INFO_FILE" "pid")"
+API_SOCK="$(get_prop "$INFO_FILE" "api_sock")"
 if [[ -z "$PID" ]]; then
   log "pid not found in $INFO_FILE"
   exit 1
 fi
+if [[ -z "$API_SOCK" ]]; then
+  log "api_sock not found in $INFO_FILE"
+  exit 1
+fi
+
+if ! ps -p "$PID" -o comm=,args= 2>/dev/null | rg -q "firecracker.*--api-sock $API_SOCK"; then
+  log "pid $PID does not match a running VM"
+  exit 1
+fi
 
 log "sending SIG$SIGNAL to pid $PID"
 sudo kill "-$SIGNAL" "$PID"
diff --git a/run.sh b/run.sh
index f4b3799..70d7a89 100755
--- a/run.sh
+++ b/run.sh
@@ -42,7 +42,7 @@ MAX_VCPU=16
 MIN_RAM=256
 MAX_RAM=32768
 MAX_DISK_BYTES=$((128 * 1024 * 1024 * 1024))
-DNS_SERVERS="${DNS_SERVERS:-1.1.1.1}"
+DNS_SERVER="1.1.1.1"
 
 VCPU_COUNT="$DEFAULT_VCPU"
 RAM_MIB="$DEFAULT_RAM"
@@ -266,10 +266,7 @@ if ! command -v debugfs >/dev/null 2>&1; then
   exit 1
 fi
 RESOLV_TMP="$VM_DIR/resolv.conf"
-printf '' >"$RESOLV_TMP"
-for ns in ${DNS_SERVERS//,/ }; do
-  printf 'nameserver %s\n' "$ns" >>"$RESOLV_TMP"
-done
+printf 'nameserver %s\n' "$DNS_SERVER" >"$RESOLV_TMP"
 debugfs -w -R "write $RESOLV_TMP /etc/resolv.conf" "$DISK_PATH" >/dev/null 2>&1 || {
   log "failed to write /etc/resolv.conf into rootfs"
   exit 1
@@ -340,7 +337,7 @@ log "configuring machine"
 
 # Boot source
 log "configuring boot source"
-KCMD="console=ttyS0 reboot=k panic=1 pci=off root=/dev/vda rw ip=${GUEST_IP}::${BR_IP}:255.255.255.0::eth0:off hostname=${VM_NAME}"
+KCMD="console=ttyS0 reboot=k panic=1 pci=off root=/dev/vda rw ip=${GUEST_IP}::${BR_IP}:${DNS_SERVER}:255.255.255.0::eth0:off hostname=${VM_NAME}"
 
 "${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/boot-source \
   -H "Content-Type: application/json" \